Certificates
Right! That’s my kind of ball game. Let me see what I can help you with…
- When you’re building a TLS connection, the client side (the “output”) should be able to verify the server side’s (the “input”) certificate.
- The server side will need a proper, valid certificate. Please don’t muck around on the Internet with self-signed certificates!
- The server side’s certificate will be issued by a CA (certificate authority). This can be your company’s own CA, both to save on money and to provide an extra hurdle for a MitM attack.
- The client side will need to have a “trust store”, which will tell it which CAs it can trust. In this case, that trust store will only contain the cert of the CA that issued the server’s certificate.
- Yes, on the client side you must specify TLS validation.
- For added security, you can also enable TLS validation on the server’s side. This means that the sending side will need a certificate of its own, which is also issued by a trusted CA.
The config that’s required outside of Graylog is something I’ve documented in the following thread: